ReproducibleBuildsKernel

This page describes how to build the Debian kernel in a reproducible (verifiable; see [ReproducibleBuilds]) way, for security reasons.

As of now (2013-11) this work is:

Steps:

See the general instructions at [ReproducibleBuilds]; however, they mainly cover steps 2 and 3.

We are trying to create a script that does this deterministic build in a more automated way, with added:

This page should be usable for everyone in Debian, and the script we are writing will later be easy to run in pure-Debian mode too.

The script will be published at [https://github.com/mempo/deterministic-kernel]; please consider it absolutely pre-alpha.

= Tests =

Here we paste research data.

== Test20131127 ==

Authors: members of Mempo project
Kernel version: 3.2.52 
Kernel deterministic patches: custom patch to remove __TIME__ and __DATE__ 
Kernel extra patches: grsecurity patch
Kernel was built: 2 times.
Build tool: using mempo script.
Computer: built on same computer each time.
Directory: built in same directory path each time.
Fakedate: yes, using faketime 2013-11-24 20:32:00
Dpkg: not fixed (regular version from Debian 7)
System: built on Debian 7.1 amd64, gcc version 4.7.2-1, linux kernel 3.2.46
Build date: 2013-11-27
Machine name: (t/wb)

Results:
.o - all identical
.ko - all identical
vmlinuz - different
.deb - different   
.gz - different

Disabling the grsecurity option CONFIG_PAX_LATENT_ENTROPY makes the *.ko files deterministic: the same module compiled twice now has the same checksum. This option instruments the kernel to generate some entropy during boot.
We are now working on the *.gz files: their checksums are still different, but they contain files with identical checksums.

== Test20131029 ==

Authors: members of Mempo project
Kernel version: 3.2.51 
Kernel deterministic patches: custom patch to remove __TIME__ and __DATE__ 
Kernel extra patches: grsecurity patch
Kernel was built: 2 times.
Build tool: using mempo script.
Computer: built on same computer each time.
Directory: built in same directory path each time.
Fakedate: yes, using faketime 2013-10-19 12:58:00
Dpkg: not fixed (regular version from Debian 7)
System: built on Debian 7.1 amd64, gcc version 4.7.2-1, linux kernel 3.2.46
Build date: 2013-10-29
Machine name: (t/wb)

Results:
.o - all identical
.ko - some match, not all (22909 files are the same and 2539 are different) [SOLVED]
vmlinuz - different
.deb - different

List of checksums:

Example of differing .ko files:

Example of the differences in disassembled .ko files:

We use the "objdump -d" command to disassemble.
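The comparison behind the result tables above (per artifact kind: .o, .ko, vmlinuz, .deb, .gz), the .gz observation in Test20131127, and the "objdump -d" diff of two modules, as an added example script. It is not the mempo script from the repository; it assumes POSIX sh with find, cmp and gzip, plus objdump for disasm_diff, and takes two build trees of the same kernel source, BUILD1 and BUILD2.

```shell
#!/bin/sh
# Added example (not the mempo script): compare two builds of the same kernel
# tree, BUILD1 and BUILD2, the way the test tables above do, per artifact kind.
# Assumes POSIX sh plus find, cmp, gzip and, for disasm_diff only, objdump.

# count_matches BUILD1 BUILD2 PATTERN
# Compares every file matching PATTERN under BUILD1 with the same path under
# BUILD2; prints "PATTERN same=N diff=M" and leaves the counts in SAME/DIFF.
count_matches() {
    SAME=0; DIFF=0
    for f in $(cd "$1" && find . -type f -name "$3" | sort); do
        if [ -f "$2/$f" ] && cmp -s "$1/$f" "$2/$f"; then
            SAME=$((SAME + 1))
        else
            DIFF=$((DIFF + 1))
        fi
    done
    echo "$3 same=$SAME diff=$DIFF"
}

# compare_builds BUILD1 BUILD2: one line per artifact kind from the tables above.
compare_builds() {
    for pat in '*.o' '*.ko' 'vmlinuz*' '*.deb' '*.gz'; do
        count_matches "$1" "$2" "$pat"
    done
}

# gz_payload_same A.gz B.gz
# gzip stores the input file's mtime in its header, so two archives of identical
# content get different checksums (the .gz result in Test20131127).
# Returns 0 when the decompressed payloads are byte-identical, 2 on read error.
gz_payload_same() {
    t=$(mktemp -d) || return 2
    gzip -dc "$1" > "$t/a" && gzip -dc "$2" > "$t/b" || { rm -rf "$t"; return 2; }
    if cmp -s "$t/a" "$t/b"; then rc=0; else rc=1; fi
    rm -rf "$t"
    return $rc
}

# disasm_diff A.ko B.ko
# Shows where two differing modules diverge, using "objdump -d" as the page
# does; output is a unified diff of the two disassemblies (exit 1 if they differ).
disasm_diff() {
    t=$(mktemp -d) || return 2
    objdump -d "$1" > "$t/a.s" && objdump -d "$2" > "$t/b.s" || { rm -rf "$t"; return 2; }
    if diff -u "$t/a.s" "$t/b.s"; then rc=0; else rc=1; fi
    rm -rf "$t"
    return $rc
}
```

Run `compare_builds build1 build2` after two builds in the same path to get the per-kind counts; a .gz pair that differs but passes gz_payload_same is the header-timestamp case described above rather than a real content difference.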

We would like to invite you to work with us on this topic! Contact us at: #mempo on irc.freenode.org

Shouldn't this be discussed on #debian-kernel on OFTC?

You can help us! Build the kernel deterministically using our tools: https://github.com/Happuri/deterministic-kernel

It's very easy; just follow these instructions:

Needed packages:
apt-get install faketime git build-essential libncurses5-dev libncursesw5-dev kernel-package md5deep gcc-4.7-plugin-dev -y  

Download tools:
git clone git@github.com:Happuri/deterministic-kernel.git

Compile:
./run.sh

Important: you must run the compilation in the same path every time (you can create a dedicated user for this), e.g. /home/kernel-builder/

[CategoryKernel]